IETF Logo Mail Archive

Re: [stir] draft-ietf-stir-passport-rcd-13 rcdi validation

Alec Fenichel <alec.fenichel@transnexus.com> Thu, 21 October 2021 22:42 UTC

Return-Path: <alec.fenichel@transnexus.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD0133A0E0D for <stir@ietfa.amsl.com>; Thu, 21 Oct 2021 15:42:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=transnexus.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rXcDRFvXiAL4 for <stir@ietfa.amsl.com>; Thu, 21 Oct 2021 15:42:30 -0700 (PDT)
Received: from NAM10-MW2-obe.outbound.protection.outlook.com (mail-mw2nam10on2088.outbound.protection.outlook.com [40.107.94.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87ACE3A0E09 for <stir@ietf.org>; Thu, 21 Oct 2021 15:42:30 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=MivSXyuQz9dYk4HlaYqHEC3rAWswOQ13RKBzRUKKzaPS+PYkHaxbqB/2/xPsPA1nCxJv5CB0ZbEA879B0LkLvtmMYX0NqhNxUUvZ1v9Q0p8v7SZ9RZTj7s8xIOuzbhdSCKl2MzNv3Py9t6Eh28bCiLjM0r6kljfs8yzOoYtV6TaGNhyCnpaAJfSJa+Z1fZJDwEKVti2BcF6dLN5ZpylDvZttKT3aM9XIWM0WTwud8dUJHbkHOCnFXwgwkBQ3Zthc2t/bFs1FhfblLu7oHROLlhoPzR2szTddm87c35d9+6ApdDXne5w6m2lq0CS2jqvCW7vKHet05OMLXTcnADsMDw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=H7E2AgeqWWiNvXNZXJB9ORj+dWu7J8+uGf0ywdNPmTE=; b=OiS/C3V9WXAGLJLIKv+k/n0Yu+cfkSrcqH8Tp/N5oSsmsVWbZcurdcI1Xc01GmoUmATREHcgOyffDE2wX3IzCFW6V0l5DFVuR3d8JYbOTXyXGZtnUPTiq3kj/ObqC63GJijTFIdWtY21/KoFVIo/CDAht0TSF58CAa3GyiSPSP+cR7iHHZKQaFxOC+5mbs2IKbJQn7Y1iH5WJdoymF5/5buqIxBJxQJOQTOev0q+GJ4OsM94ZT3iIguKL7pWjcdjhQh/+zHlxThMYBg3YDSNd7LJ43Txf/F+86VQXEl1U64FEYLqUOfxcIfgIZLOS84WSNfYlReevZZCq0FzN1WQYQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=transnexus.com; dmarc=pass action=none header.from=transnexus.com; dkim=pass header.d=transnexus.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transnexus.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=H7E2AgeqWWiNvXNZXJB9ORj+dWu7J8+uGf0ywdNPmTE=; b=cLB9I+Z8nBNTzQy3NSdnj25KBy+fwtaK7RmyQ3+6Ew2nLH4FVjuudap/M2jTd0krGHbtxBgLz5BlnxqhIkbCdUkbQye87yeKtZtaeNWUThzxn8yKE/GJl5pHkEVGFPtqjg8zrRKWywDsn1ld9yVbB2A3Op/k5c2WfauQzYfMyQI=
Received: from BN6PR11MB3921.namprd11.prod.outlook.com (2603:10b6:405:81::20) by BN6PR11MB4115.namprd11.prod.outlook.com (2603:10b6:405:80::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4608.17; Thu, 21 Oct 2021 22:42:24 +0000
Received: from BN6PR11MB3921.namprd11.prod.outlook.com ([fe80::91e7:43e2:7c72:a2e4]) by BN6PR11MB3921.namprd11.prod.outlook.com ([fe80::91e7:43e2:7c72:a2e4%5]) with mapi id 15.20.4628.018; Thu, 21 Oct 2021 22:42:24 +0000
From: Alec Fenichel <alec.fenichel@transnexus.com>
To: Jack Rickard <jack.rickard=40microsoft.com@dmarc.ietf.org>, IETF STIR Mail List <stir@ietf.org>, Russ Housley <housley@vigilsec.com>
Thread-Topic: draft-ietf-stir-passport-rcd-13 rcdi validation
Thread-Index: AdfFnr87c2vxVfrsRiOmBanuACp+5QADi8ZgAEfHnVY=
Date: Thu, 21 Oct 2021 22:42:24 +0000
Message-ID: <BN6PR11MB39219FF1E620B0BAAF8D3DE199BF9@BN6PR11MB3921.namprd11.prod.outlook.com>
References: <AM5PR83MB035516622330F5CD32DF0B5588BE9@AM5PR83MB0355.EURPRD83.prod.outlook.com> <AM5PR83MB03550434535973C05F84E8C688BE9@AM5PR83MB0355.EURPRD83.prod.outlook.com>
In-Reply-To: <AM5PR83MB03550434535973C05F84E8C688BE9@AM5PR83MB0355.EURPRD83.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2021-10-20T10:21:11.0000000Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard
authentication-results: dmarc.ietf.org; dkim=none (message not signed) header.d=none;dmarc.ietf.org; dmarc=none action=none header.from=transnexus.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 409cf884-e2c8-4895-975f-08d994e40d1b
x-ms-traffictypediagnostic: BN6PR11MB4115:
x-microsoft-antispam-prvs: <BN6PR11MB4115E8F694D1E76597DE957999BF9@BN6PR11MB4115.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: kdOZp88lMf/qz/Mw7zmfmp5segqs4LBuMuGGCxD4snChma18hgmFlcp8ZYz/9CRZbl6/F8V7fmqXWfaJNaA1lWJesNIZWlpqAcQplEQ59CczmBl5ZqnE9ZHyj9CL35UTc5u4DXjTMWAsBFSKzL40yQgONrawGHI65PQul1+RVvz/OVhzlvfmfn/aw7apvylUHYRQo9fsaaulKOhQFT+enUj1asVZvHV7XwS/CENPIoBlHrIuH/AXC/ufozW1fbFtlWlCQsboC/9P2t5mtHdrg7kVUV14gMTWHbrMj7J8cFn4zzD7+/PyhD+dcDI5NxOt4IMREX4qJKwLwBiHKQV0d/VCoU0N0TpdhO/OiZajTIfAxbqEA5rAW39jyMS4vCtKIjwvf+bej/u9ZR0SlHfV9Ed8/mjb+Pr5saiaTwx0l8TJEWwTfGsO//UVQGA3J9uAZSNCw1C06nL5hUfOr6efS2mataX+kgU+7td6l/dy7WXLy80M33utO+1vAyXAHHfkXP92CxI+iT3F6aI+wdAYl/mIl7FlT7n/1qeMq+sMPasExZT9ElLM2maqf4rOytfA2T5kxoizCBkEl24gOLVbMDgJKZ20qIB8hybGJU4jplRgIRw+7VeT3K8f/FgA1bf3idILHVVvzZd08Ghe2Ex/2rsRdix5CqN+za3/bsOkqJs6T8qa4uZs4Nh57MVzH9de
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN6PR11MB3921.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(396003)(346002)(39830400003)(366004)(136003)(376002)(186003)(5660300002)(8676002)(44832011)(33656002)(76116006)(508600001)(83380400001)(45080400002)(66476007)(9686003)(7696005)(122000001)(40140700001)(66574015)(316002)(110136005)(86362001)(71200400001)(8936002)(64756008)(66446008)(99936003)(166002)(55016002)(66556008)(26005)(52536014)(38100700002)(38070700005)(2906002)(6506007)(66946007)(53546011)(10090945008); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: dbElEAnvwni3PEDvaE8uAxe3jKTKQlBPNDYQJUpHU6zT4IwqPS7yffSsQ9ZQTwAyCWGhbdmvSt/OxmIuR0rhc9hsRsvOshk2piJCgaziVCr3AbAjkHdhBgTLYVxlKE+GR3iYGC2aRrIFz8LhajeAKyNEEwXCZFHb8x5mvOblf1SFRSVDsjWTzSgjGaTKqa3hrDPd+iY4E3OrVB3MGl3+nMmZ7tS/x+7aL8rX0LFyaM+DgrOAv1INeR4Qa4fpCa9gZS+kygF6Bi1UW0dplnuaqJVpxBZk7Qz/Hz8kTbG1GzUwqdTCWOaEfgAywaGt7c6G21w+bCZU9yg3UuXzNME3u2yjA5e522Gm3UFkKFDaYEFtvR4iS9+TPsdYC769dPUqoQ31/LgOInMpQhvs0R2HbaQe8q2WbE0pldrkFciUHjv9rQYNKt0Zg29ltv7ClJbX/zLTtYx3070jq/q/87OOpgYurm25Lip3xjtAO1erx8i/spqNu6rjSMPRcNNxtdEA/ri9BbhJrX+thmv2pvswvhcj1M/OMMDroLKAlpEMbg1FdbrS4t2x+C/w0DhzhuznjAjQqIr+o424lGi35/pOmCp7g14+fV9x8EVHGKtztptuFKL2zPCLH3HgPJbhn0XQOf7HfuQ3zr9fPyXwG1VDcq9GoxMna5E4+76GSgO8YaZaAa1Ok/jVl1I0aPZDzuN8MGMyWvU/hQq6gD0nG7CbGXNYBCRdIig+sSftXhMHPloiRWugcJlW1Um4WJSYrLHcEg/g74xi2bzoqJbBm3QkYuAwMjvVkDszVh0dTkOnveD9edNA2zuuBcDBxrLgfLNpSZCQUWYlxl8w5bz/2UFVHsB6Rk+QzAhgkhd8IahZc/tV7UP1rigRJ4UawL5Yn6rUfHC8BSkfAgiOgvcjXjLYWzwmmolpHdyFwAEg8CW7r7jmWYO7d3Xx0kRKcUasIORfZhPXg7EOO2HSC4IajYtT6g9HMat2M2kCVqWtlMQODV8thmTB+czfyMj5ccP1JZi52N/jo5koS9yDQlqXOb1+cxCfyiO5ya8dFIc3Wsd+TK5zsnO0rz+tNa/f5HAIfPY/r/D41JIZ606T46FrHbOZ+r2dwsiDYuMkhbfhTG9yW4bchwUhMuCXhmnaa3UWt5Z464jbF284CmaxZrdECoiZ2lU8coIwhqm8pFq/0q7dVhH7YMngSxfxLI1QnW2pm752QRsehLPtJcHarnS9zHJ4Sp/77cE+aSi/iFXFOXdLutt04Dd03IDXvvYnso3a44xD2qY+m0xHvXc6R6ynRbbPYUMqv4WULR1uXKNFUN9RhdRkDPmOa4OZEfNEaTFhO+XLvPihHSbtqunEjlc+7Ufbkw==
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha256"; boundary="_A22AAEF9-8B99-434D-A72C-4ABCBB5F9CF2_"
MIME-Version: 1.0
X-OriginatorOrg: transnexus.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN6PR11MB3921.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 409cf884-e2c8-4895-975f-08d994e40d1b
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Oct 2021 22:42:24.1622 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8e2972a2-d21d-49ac-b005-18e8ceaadee3
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: alec.fenichel@transnexus.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR11MB4115
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/aVMoWnkaJ83CG3IJdOTc0Jzp2KU>
Subject: Re: [stir] draft-ietf-stir-passport-rcd-13 rcdi validation
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Oct 2021 22:42:36 -0000

Agreed!

 

Sincerely,

 

Alec Fenichel

Senior Software Architect

alec.fenichel@transnexus.com

+1 (407) 760-0036

TransNexus

 

From: stir <stir-bounces@ietf.org> on behalf of Jack Rickard <jack.rickard=40microsoft.com@dmarc.ietf.org>
Date: Wednesday, October 20, 2021 at 08:30
To: IETF STIR Mail List <stir@ietf.org>, Russ Housley <housley@vigilsec.com>
Subject: Re: [stir] draft-ietf-stir-passport-rcd-13 rcdi validation

You don't often get email from jack.rickard=40microsoft.com@dmarc.ietf.org. http://aka.ms/LearnAboutSenderIdentification" rel="nofollow">Learn why this is important

An additional thing I’ve just thought of: it’s ~impossible for a verification service to know which URLs in the jCard need an rcdi entry (for example, a link to your website doesn’t need one), but it’s very easy for the end entity, it needs an rcdi entry for any URL it dereferences.

 

From: stir <stir-bounces@ietf.org> On Behalf Of Jack Rickard
Sent: 20 October 2021 12:37
To: IETF STIR Mail List <stir@ietf.org>; Russ Housley <housley@vigilsec.com>
Subject: [EXTERNAL] [stir] draft-ietf-stir-passport-rcd-13 rcdi validation

 

Hi all,

 

To clarify things, and hopefully reduce the number of rounds of review, this is a write-up of my position (and hopefully some alternative positions) on rcdi validation.

 

rcdi is a mechanism to ensure the integrity of the rcd information, and so any entity that retrieves/uses the rcd information clearly must validate that information against the rcdi digests, otherwise it could not trust what it had downloaded.

 

However, any verification service that does not need to retrieve the RCD information, cannot and possibly should not always retrieve and validate it, for a few reasons:

  1. There isn’t enough time – downloading and validating all the data (or in fact any data) takes a prohibitively long time, especially as an intermediate verification service does not know which bits of data are going to be used.
  2. The data could change – even if an intermediate does perform the validation, the end entity must repeat this as the information it retrieves could very well be different to what the intermediate validated.
  1. There was discussion in the meeting of a TSP that rehosted the RCD information, in that case it is the end entity in this discussion and realistically needs its own integrity mechanism on what it has rehosted.
  1. An intermediate could reject something that the end entity would accept – downloading information from the internet is not perfectly reliable, there could be firewall issues, or just temporary server issues that cause an intermediate validator to not be able to get the RCD information, in which case it would fail to validate the passport and throw out all the rcd information (and potentially all the STIR information). An end entity does not have to do this, it might be able to retrieve items the intermediate cannot, it might not want all the information in the first place, and in the worst case it can gracefully degrade the rcd information it cannot access.

 

Taking all of that, I believe that the rcd and rcdi information should be treated as “valid” in the context of PASSporT verification if the data in the PASSporT is correct (this would include checking JWTClaimConstraints), but not depend on any of the referenced information’s integrity.

 

There is a question there about “/rcd”,”/nam”, and “/apn” digests, for the sake of simplicity I’d suggest they also aren’t required to be checked by the verifier, but I don’t believe it matters.

 

There are some issues with this approach though:

  1. Security is more complicated – this split validation model introduces extra complexity to the security of RCD information in PASSporTs. As far as I can tell, this wouldn’t introduce any new attack vectors, but does place a greater burden on the end entity doing things correctly.
  2. This introduces a new entity – I don’t believe any previous documents have made a distinction between the end entity and verification services, just focusing on authentication services and verification services. This introduces actions that this end entity must perform for the system to conform to the standard.

 

 

Those issues are not enough to change my mind; however, I welcome different opinions and there are almost certainly more I haven’t thought of or weren’t discussed.

 

Thanks,

Jack Rickard
he/him
Software Engineer
jack.rickard@microsoft.com

Microsoft

 

 

 

 

v2.23.0 | Report a Bug | By Email